SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

INTERNET STORM CENTER TECH CORNER

Meet the VMRay Team at the SANS SOC Summit in Arlington, VA June 5-6 and learn how VMRay Analyzer is virtually impossible for malware to evade. Download the latest whitepaper from the VMRay Research Team, "Defeat Evasive Malware". You'll learn how malware evades an analysis environment by using event-based triggers and exploiting sandbox weaknesses. http://www.sans.org/info/195310

TOP OF THE NEWS

A US defense contractor appears to have stored top secret US intelligence data on a publicly accessible Amazon cloud storage server. The account has been linked to contractor Booz Allen Hamilton. The data are related to the US National Geospatial-Intelligence Agency, which provides battlefield satellite and drone surveillance imagery.

[Editor Comments]

[Pescatore] Skyhigh Networks has published data showing that a high percentage of cloud-based Outlook email users are also using other features of Office365, in particular OneDrive cloud-based storage. The data also shows that 15-20% of the data users put in OneDrive violates policy against such external storage. Their data focuses on Office365, but the same issues are likely true across other cloud-based email services. The biggest deterrent to this happening is IT offering users a standard and approved service. Monitoring of data being stored at cloud services is also available through a number of vendors, these days often called Cloud Access Security Brokers.

[Williams] While NGA is claiming that this data is sensitive but unclassified, it is clear that it should not have been unprotected in the Amazon cloud. Amazon has a special Gov Cloud environment that can be used for more sensitive data when multi-tenant concerns exist. Obviously this special protected enclave wasn't used for this data and of course multiple other security issues exist here. Some organizations think that moving to the cloud will automatically make them more secure. More often than not however, cloud adoption actually creates security issues rather than eliminating them.

[Neely] DHS requires the use of FedRAMP certified CSPs, which includes requiring access to government data over a TIC and the use of strong authentication. These do not mesh well with cloud-first directives and the necessary open collaboration with the private sector, which is needed for the US to be competitive. Solutions are being implemented quickly to meet project deadlines, which results in circumventing or ignoring the required controls, underscoring the need for deeper understanding of how data in the cloud is secured, protected and accessed.

OneLogin Breach
(May 31 & June 1, 2017)

Password manager OneLogin has acknowledged that some of its customer data have been compromised. The breach appears to affect US data centers. OneLogin is urging its customers to change their passwords and generate new API keys and OAuth tokens. In an email to customers, OneLogin wrote that "customer data was compromised, including the ability to decrypt encrypted data."

[Editor Comments]

[Pescatore] To paraphrase an old saying, "If you are going to put all your username/password pairs into someone else's basket, make sure it is a really, really secure basket - and that you can quickly recover if it isn't." OneLogin said "threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US" but not how the keys were obtained. In past compromises of users of the major cloud services, the user company's cloud admin was phished and login and/or keys compromised. This points out the need for strong authentication for all admin accounts, including cloud admins.

Google Improves Gmail Security for Enterprise Users
(May 31, 2017)

Google is adding security features to Gmail for its enterprise users to protect them from phishing, malicious links, and malware. Google is using machine-learning detection to block spam and phishing emails. Users will also see warnings when they click on suspicious links and when they attempt to send protected data to an address outside the company.

[Editor Comments]

[Pescatore] Google blocking more is good, but imagine if ISPs ever took initiative (or were required) to do the same thing closer to the source. If only the serious attacks reached the endpoints, the reduction in noise alone would make it much easier to quickly detect a targeted or zero day attack that got through.

US federal contractors wishing to maintain their clearances must have completed an insider threat training course by June 1, 2017. The requirement is described in the National Industrial Security Program Operating Manual (NISPOM) Change 2. The course is the second step of a new compliance requirement. The first part took effect late last year and required contractors to implement changes to protect their systems from insider threats.

THE REST OF THE WEEK'S NEWS

Fireball Adware
(June 1, 2017)

Malware known as Fireball has made its way onto 20 percent of corporate networks around the world. According to Check Point, the browser-hijacking malware has infected more than 250 million computers. Fireball makes its way onto computers as part of a software bundle. Fireball "currently... installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any malware." While Check Point has classified Fireball as malware, a Chinese digital marketing company is using it as a research tool.

Linux Sudo Patches
(June 1, 2017)

Updates for several Linux distributions are available to address a flaw in Sudo. The vulnerability allows an attacker to use bash commands to create malicious sudo commands that can overwrite any file on the affected system. The issue affects Sudo and SELinux.

[Editor Comments]

[Williams] In order for a user to exploit this vulnerability, they must already be in the sudo group for at least one command and SELinux must be enabled. The majority of users should not have sudo privileges for any commands. This is a great time to review your sudo permissions enterprise-wide. Also relevant, I gave a talk last year that shows how attackers use common sudo misconfigurations for privilege escalation (https://www.youtube.com/watch?v=kuE2yqULs-Y).

Nine Indicted in Car Theft Ring
(May 31 & June 1, 2017)

The US Department of Justice has indicted nine members of a motorcycle gang in connection with a car theft scheme in which they allegedly used stolen automobile dealer credentials and handheld diagnostic tools to program and cut duplicate keys for hundreds of Jeep Wrangler vehicles. They would then allegedly steal the vehicles and strip them for parts. Three of the nine people named in the indictment have been arrested.

NTFS Flaw Can Be Exploited to Crash Systems
(May 26, 30, & 31, 2017)

A flaw in Windows NTFS could be exploited to crash vulnerable systems. The issue affects Windows Vista, 7, and 8.1, but not Windows 10. If $MFT is used as part of a directory path, the system will crash. Current versions of Chrome will block images with malformed directory paths.

When is a Chrome Flaw Not a Flaw? When Google Says So
(May 31, 2017)

Google says that a situation in Chrome in which a website can record audio and video from a user's computer without displaying the red recording light on the tab is not a security issue. Instead, the problem is a user issue, according to Google, because users have to give websites permission to record. "The dot is a best first-effort that only works on desktop when we have Chrome UI space available," wrote Google in its response to the Chrome bug report. "That being said, we are looking at ways to improve this situation." The researcher who discovered the issue notes that users are not always aware of what they are allowing when they grant website permissions.

NIST Draft Guide on Secure Inter-Domain Routing
(May 31, 2017)

The US National Institute of Standards and Technology (NIST) has released a draft guide titled "Secure Inter-Domain Routing: Route Hijacks." Focusing on solutions to security problems present in the widely used Border Gateway Protocol (BGP), the document aims to "provide security recommendations for the use of Inter-domain protocols and routing technologies." The comment period on the draft document closes on June 29, 2017.

Companies Prepare Fixes for Samba Vulnerability
(May 31, 2017)

Companies with products affected by the Samba vulnerability are readying fixes. Cisco is developing fixes for two of its products and is looking into the need for fixes for 11 additional products. Netgear has already pushed out patches for some products and is investigating which other products may also require patches.

RADIUS Server Flaw
(May 29 & 30, 2017)

FreeRADIUS developers have released an update to fix an authentication bypass issue in the server. The vulnerability lies in the way the FreeRADIUS TLS session cache behaves, allowing an attacker to potentially bypass authentication via PEAP or TTLS. The flaw affects FreeRADIUS versions 3.0.14 and earlier.

WannaCry Coding Errors May Enable Data Recovery
(June 1, 2017)

Researchers at Kaspersky Labs have found errors in the WannaCry code that may enable the recovery of data on impacted machines. Free utilities have been made available to attempt recovery, which only work if the infected computers haven't been turned off or rebooted.